Skip to content

Publish reusable workflows: rg-ci / rg-security / rg-release #117

Description

@jmcte

Context

The org CI/CD audit (docs/omt-global-ci-cd-audit-2026-04-14.md) names github-runner-fleet as the release-isolation reference and recommends:

Extend its policy into explicit rg-ci / rg-security / rg-release governance

and

Use as the source repo for reusable PR/security/release workflows

pr-fast-ci.yml, extended-validation.yml, and release-image.yml already encode the right patterns, but they are repo-local and cannot be consumed from downstream repos via workflow_call. #28 covers the docs side (shell-safe workflow cookbook); this issue is the artifact side.

Scope

  • Carve out workflow_call reusable workflows under .github/workflows/ (or a sibling reusable/ directory) for:
    • rg-ci.yml — cheap PR gate template (lint/test/build, shell-safe runner allowlist)
    • rg-security.yml — wraps the security scan workflow added in the security-scanning issue (CodeQL / dep-review / OSV) on hosted runners only
    • rg-release.yml — signed-image / OIDC-only release template, derived from release-image.yml
  • Each reusable workflow exposes minimal, well-typed inputs and secrets: inherit boundaries.
  • Each one pins external actions by SHA and constrains permissions: to least-privilege.
  • Add an example consumer snippet to docs/workflow-cookbook.md showing how a downstream repo references each workflow with uses: OMT-Global/github-runner-fleet/.github/workflows/rg-*.yml@<tag>.
  • Validate via a smoke-style test (or a separate test-consumer repo / matrix job) that each reusable workflow is callable.

Acceptance Criteria

  • A downstream repo can adopt the org standard with three uses: lines instead of copying YAML.
  • Inputs and required secrets are documented in the workflow file header.
  • README or docs/workflow-cookbook.md links the canonical reference for each reusable workflow.
  • The repo's own CI continues to use CI Gate as the single required status check.

Related

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:infraInfrastructure, CI, release, governance, scripts, or repo setup.github_actionsPull requests that update GitHub Actions codepriority:P1Codex Connector P1; blocks execution until Athena and Ares validate.risk:highHigh-risk change; validation required.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions